The Hacker News — Cyber Security, Hacking, Technology News

The Shadow Brokers, a notorious hacking group that leaked several hacking tools from the NSA, is once again making headlines for releasing another NSA exploit—but only to its "monthly dump service" subscribers.

Dubbed UNITEDRAKE, the implant is a "fully extensible remote collection system" that comes with a number of "plug-ins," enabling attackers to remotely take full control over targeted Windows computers.

In its latest post, the hacking group announced a few changes to its monthly dump service and released encrypted files from the previous months as well.

Notably, the September dump also includes an unencrypted PDF file, which is a user manual for the UNITEDRAKE (United Rake) exploit developed by the NSA.

According to the leaked user manual, UNITEDRAKE is a customizable modular malware with the ability to capture webcam and microphone output, log keystrokes, access external drives and more in order to spy on its targets.

The tool consists of five components—server (a Listening Post), the system management interface (SMI), the database (to store and manage stolen information), the plug-in modules (allow the system capabilities to be extended), and the client (the implant).

Snowden Leak Also Mentions UNITEDRAKE

The Snowden documents suggested the agency used the tool alongside other pieces of malware, including CAPTIVATEDAUDIENCE, GUMFISH, FOGGYBOTTOM, GROK, and SALVAGERABBIT, to infect millions of computers around the world.

CAPTIVATEDAUDIENCE is for recording conversations via the infected computer's microphone.

GUMFISH is for covertly taking control of a computer's webcam and snapping photographs.

SALVAGERABBIT is for accessing data on removable flash drives that connect to the infected computer.

New Terms for Shadow Brokers Monthly Dump Service

The Shadow Brokers is now only accepting payments in ZCash (ZEC) from its monthly subscribers, rather than Monero, since the group uses clear-text email for delivery, and has also raised its rates for exploits, demanding nearly $4 million.

The group demanded 100 ZEC when it started its first monthly dump service in June, but now the hackers are demanding 16,000 ZEC (which costs $3,914,080 in total) for all NSA dumps. Zcash currently trades at $248 per unit.

Those who want to gain access only to the September dump that includes the new NSA malware files need to pay hackers 500 ZEC.

The Shadow Brokers gained popularity after leaking the SMB zero-day exploit, called EternalBlue, that powered the WannaCry ransomware attack which crippled large businesses and services around the world in May.

After that, the mysterious hacking group announced a monthly data dump service for those who want to get exclusive access to the NSA arsenal, which they claim to have stolen from the agency last year.

The Shadow Brokers, a notorious hacking group that leaked US cyberweapons — which were also abused by the recent ransomware disasters WannaCry and Petya or NotPetya — has now threatened to unmask the identity of a former hacker who worked for the NSA.

Besides this, the Shadow Brokers group has also doubled the price of its monthly subscription model for NSA-built hacking tools and zero-day exploits from 100 ZEC (Zcash) to 200 ZEC, which is around $64,400 USD.

Moreover, the hacking group has also announced a VIP service for people whose queries about the leaked hacking tools and exploits the group will answer.

To subscribe to the VIP service, one has to make a one-time payment of 400 ZEC (around US$128,800).

Last month, the Shadow Brokers announced it would release more zero-day exploits and hacking tools developed by the US spy agency every month from June 2017, but only to private members who subscribe for exclusive access to the future leaks.

The Shadow Brokers' June data dump costs 100 ZEC, but after seeing growth in the number of subscribers for this month, the group said it is raising the price for the next month's subscription.

Threatens to Unmask Equation Group Hacker

In typically broken English, the mysterious hacking group threatened to unmask a former member of the NSA's elite hacking group called Equation Group, who developed several hacking tools to break into Chinese organizations.

The Shadow Brokers did not reveal much about the former Equation Group member, except that the person is living in Hawaii and currently a "co-founder of a new security company and is having much venture capital."

The group, which refers to the NSA Equation Group member as "doctor," made the threat because of his or her "ugly tweets" targeting the Shadow Brokers.

"TheShadowBrokers is having special invitation message for 'doctor' person theshadowbrokers is meeting on Twitter. 'Doctor' person is writing ugly tweets to theshadowbrokers," the group said. "Then doctor person is deleting ugly tweets, maybe too much drinking and tweeting?"

"TheShadowBrokers is hoping 'doctor' person is deciding to subscribe to dump service in July. If theshadowbrokers is not seeing subscription payment with corporate email address of doctor@newsecuritycompany.com then theshadowbrokers might be taking tweets personally and dumping data of 'doctor' persons hacks of China with real id and security company name."

Well, that's enough of a threat.

Since June is coming to an end, it seems the Shadow Brokers subscribers who paid in June will start receiving zero-day exploits and hacking tools from the first week of July.

Although what the June dump would contain is not clear at the moment, the group's last announcement claimed that the upcoming data dump would include:

Script kiddies and online criminals around the world have reportedly started exploiting NSA hacking tools leaked last weekend to compromise hundreds of thousands of vulnerable Windows computers exposed on the Internet.

Last week, the mysterious hacking group known as the Shadow Brokers leaked a set of Windows hacking tools targeting Windows XP, Windows Server 2003, Windows 7 and 8, and Windows 2012, which allegedly belonged to the NSA's Equation Group.

What's Worse? Microsoft quickly downplayed the security risks by releasing patches for all exploited vulnerabilities, but there are still risks in the wild with unsupported systems as well as with those who haven't yet installed the patches.

Multiple security researchers have performed mass Internet scans over the past few days and found tens of thousands of Windows computers worldwide infected with DoublePulsar, a suspected NSA spying implant, as a result of a free tool released on GitHub for anyone to use.

Security researchers from Switzerland-based security firm Binary Edge performed an Internet scan and detected more than 107,000 Windows computers infected with DoublePulsar.

A separate scan done by Errata Security CEO Rob Graham detected roughly 41,000 infected machines, while another by researchers from Below0day detected more than 30,000 infected machines, a majority of which were located in the United States.

The impact? DoublePulsar is a backdoor used to inject and run malicious code on already infected systems, and is installed using the EternalBlue exploit that targets SMB file-sharing services on Microsoft's Windows XP to Server 2008 R2.

Therefore, to compromise a machine, it must be running a vulnerable version of Windows with an SMB service exposed to the attacker.

Both DoublePulsar and EternalBlue are suspected as Equation Group tools and are now available for any script kiddie to download and use against vulnerable computers.

Once installed, DoublePulsar used hijacked computers to sling malware, spam online users, and launch further cyber attacks on other victims. To remain stealthy, the backdoor doesn't write any files to the PCs it infects, preventing it from persisting after an infected PC is rebooted.

While Microsoft has already patched the majority of the exploited flaws in affected Windows operating systems, those who have not patched remain vulnerable to exploits such as EternalBlue, EternalChampion, EternalSynergy, EternalRomance, EmeraldThread, and EducatedScholar.

Moreover, systems that are still using end-of-life platforms like Windows XP, Windows Server 2003, and IIS 6.0, which no longer receive security updates, are also vulnerable to the in-the-wild exploits.

Since it takes hackers only a few hours to download the Shadow Brokers dump, scan the Internet with the tool released on Monday, and deliver exploits, researchers expect more vulnerable and unpatched computers to fall victim to DoublePulsar.

After this news had broken, Microsoft officials released a statement saying: "We doubt the accuracy of the reports and are investigating."

Meanwhile, Windows users who haven't applied MS17-010 by now are strongly advised to download and deploy the patches as soon as possible.

A hackers group that previously claimed to have stolen a bunch of hacking tools (malware, zero-day exploits, and implants) created by the NSA and gained popularity last year for leaking a portion of those tools is back.

Today, The Shadow Brokers group released more alleged hacking tools and exploits that, the group claims, belonged to "Equation Group" – an elite cyber attack unit linked to the NSA.

Besides dumping some of the NSA's hacking tools back in August 2016, the Shadow Brokers also released an encrypted cache of files containing more of the NSA's hacking tools and exploits in an auction, asking for 1 million Bitcoins (around $568 million).

However, after the failed auction, the group put those hacking tools and exploits up for direct sale on an underground website, categorizing them by type — like "exploits," "Trojans," and "implants" — each of which ranged from 1 to 100 Bitcoins (from $780 to $78,000).

Now, the Shadow Brokers has finally released the password for the encrypted cache of NSA files, allowing anyone to unlock and download the auction data dump.

CrDj"(;Va.*NdlnzB9M?@K2)#>deB7mN

The password mentioned above for the encrypted NSA files was made public through a blog post published today.

The blog post, titled "Don't Forget Your Base," is written as an open letter to President Donald Trump, containing the Shadow Brokers' political views on Trump's recent policies and events, like Goldman Sachs, the air strike against Syria, and the removal of Steve Bannon from the National Security Council, among others.

A security researcher who uses the Twitter handle x0rz has uploaded all the files to GitHub after decryption and confirmed that the archive includes:

The TOAST framework that NSA's TAO (Tailored Access Operations) team used to clean logs of Unix wtmp events.

The Equation Group's ElectricSlide tool that impersonates a Chinese browser with fake Accept-Language.

Evidence of the NSA operators' access inside the GSM network of Mobilink, one of Pakistan's most popular mobile operators.

More key findings will come as soon as other security researchers delve into the dump.

At this time, it is not confirmed whether the group holds more NSA hacking tools and exploits or whether this is the last batch of documents the Shadow Brokers stole from the United States intelligence organization.


The Shadow Brokers who previously stole and leaked a portion of the NSA hacking tools and exploits is back with a Bang!

The hacking group is now selling another package of hacking tools, “Equation Group Windows Warez,” which includes Windows exploits and antivirus bypass tools, stolen from the NSA-linked hacking unit, The Equation Group.

For those unfamiliar with the topic, The Shadow Brokers is a notorious group of black-hat hackers who, in August 2016, leaked exploits, security vulnerabilities, and "powerful espionage tools" created by The Equation Group.

On Saturday, the Shadow Brokers posted a message on their ZeroNet based website, announcing the sale of the entire "Windows Warez" collection for 750 Bitcoin (around US$678,630).

Interestingly, the Remote Administration Tool (RAT) "DanderSpritz" included in the list is the one previously leaked in the NSA's documents revealed by Edward Snowden.

Besides this, malware researcher Jacob Williams analyzed the archive of "screenshots and output of the find command across the dump" provided by the hackers as evidence of legitimacy and estimated that the tools may also include a Fully Undetectable (FUD) malware toolkit.

The buyers can purchase the entire database of hacking tools that The Equation Group used against various countries to expand its espionage operations.

In August, the Shadow Brokers announced an auction attempting to sell the complete set of tools to the highest bidder, but the group canceled their auction in October due to little or no response on their public sale.

But since this time the group has made Windows hacking tools up for sale, the chances are that hackers and espionage groups would be interested in buying these hacking tools.

The hacker group calling itself the Shadow Brokers, who previously claimed to have leaked a portion of the NSA’s hacking tools and exploits, is back with a Bang!

The Shadow Brokers published more files today, and this time the group dumped a list of foreign servers allegedly compromised by the NSA-linked hacking unit, Equation Group, in various countries to expand its espionage operations.

Top 3 Targeted Countries — China, Japan, and Korea

The data dump [Download / File Password: payus], which experts believe contains 306 domain names and 352 IP addresses, covers at least 49 countries. As many as 32 of the domains were run by educational institutes in China and Taiwan.

A few target domains were based in Russia, and at least nine domains include .gov websites.

The latest dump has been signed by the same key as the first Shadow Brokers’ dump of NSA exploits, though there is a lot to be done to validate the contents of the leaked data dump fully.

Targeted Systems — Solaris, Unix, Linux and FreeBSD

Most of the affected servers were running Solaris, Oracle's Unix-based operating system, while some were running FreeBSD or Linux.

Each compromised server was reportedly a target of INTONATION and PITCHIMPAIR, code names given to cyber-espionage hacking programs.

The data dump also contains references to a list of previously undisclosed Equation Group tools, including Dewdrop, Incision, Orangutan, Jackladder, Reticulum, Patchicillin, Sidetrack and Stoicsurgeon.

The tools mentioned above could be implants, utilities or exploits used by the NSA's notorious group.

Security researcher Mustafa Al-Bassam, an ex-member of Lulzsec and the Anonymous hacking collective, said the NSA likely compromised all the servers between 2000 and 2010.

"So even the NSA hacks machines from compromised servers in China and Russia. This is why attribution is hard," Al-Bassam added.

Are Hackers trying to influence U.S. Presidential elections?

A message accompanying the leaked data dump calls for attempts to disrupt the forthcoming United States presidential election. The portion of message from the Shadow Brokers reads:

"TheShadowBrokers is having suggestion. On November 8th, instead of not voting, maybe be stopping the vote all together? Maybe being grinch who stopped the election from coming? Maybe hacking election is being the best idea? #hackelection2016."

Targeted victims can use the leaked files in an effort to determine if they were the potential target of the NSA-linked hacking unit.

Since the records are old, many servers should now be clean of infection. However, a brief Shodan scan of these domains indicates that some of the affected servers are still active and still running old, possibly-vulnerable systems.

You might have heard about the ongoing drama of the NSA hack, which has sparked a larger debate on the Internet concerning the capabilities of US intelligence agencies as well as their own security.

Saturday morning the news broke that a mysterious group of hackers calling themselves "The Shadow Brokers" claimed it hacked an NSA-linked group and released some NSA hacking tools with a promise to sell more private "cyber weapons" to the highest bidder.

The group dumped a bunch of private hacking tools from "Equation Group" – an elite cyber attack unit linked to the NSA – on GitHub and Tumblr.

The Shadow Brokers hacking group has published the leaked data in two parts: one includes many hacking tools designed to inject malware into various servers, and the other is an encrypted file containing the "best files," which they put up for sale for 1 million Bitcoins.

However, GitHub deleted the files from its site, not due to any government pressure, but because the hackers were demanding cash to release more data and the company's policy does not allow the auction or sale of stolen property on its source code management platform.

NSA Hack Raises a Few Important Questions. The leak of advanced hacking tools allegedly stolen from the Equation Group has raised a few questions in everyone's mind:

Is Equation Group an elite cyber attack unit linked to the NSA?

Are the Equation Group Hack and leaked exploits legitimate?

If legitimate, do the advanced hacking tools actually belong to Equation Group?

Who is behind the hack? Russia?

Here's all you need to know about the NSA Hack:

Kaspersky Confirmed: Leaked Hacking Tools Belong to NSA-tied Group

According to a technical report published Tuesday by security firm Kaspersky Lab, the leaked advanced hacking tools contain digital signatures that are identical to those in hacking software and malware previously used by the Equation Group.

"While we cannot surmise the attacker's identity or motivation nor where or how this pilfered trove came to be, we can state that several hundred tools from the leak share a strong connection with our previous findings from the Equation group," Kaspersky researchers said in a blog post.

Over 300 computer files found in the Shadow Brokers archive share a common implementation of the RC5 and RC6 encryption algorithms, which have been used extensively by the Equation Group.

Also, the implementation of encryption algorithms is identical to the RC5 and RC6 code in the Equation Group malware.

"There are more than 300 files in the Shadow Brokers' archive which implement this specific variation of RC6 in 24 other forms," the researcher wrote. "The chances of all these being fakes or engineered is highly unlikely."

"The code similarity makes us believe with a high degree of confidence that the tools from the Shadow Brokers' leak are related to the malware from the Equation group."

Here's the comparison of the older Equation RC6 code and the code from the new leak, which shows that they have identical functionality and share rare, specific traits in their implementation:

Kaspersky Lab previously linked Equation Group to the NSA, describing it as "a threat actor that surpasses anything known in terms of complexity and sophistication of techniques, and that has been active for almost two decades."

The security firm also claimed that Equation Group was behind a variety of malware families, including Stuxnet and Flame, which are associated with cyber attacks launched by the United States.

Former NSA Personnel also Confirm the Authenticity of Leaked Data

Now, adding more proof to the possibility and strengthening the speculation, some ex-NSA insiders say the leaked hacking tools are legitimate and linked to the NSA.

One former NSA employee who worked in its special hacking division, Tailored Access Operations (TAO), told the Washington Post that "without a doubt, they're the keys to the kingdom."

"The stuff you are talking about would undermine the security of a lot of major government and corporate networks both here and abroad," said the former TAO employee, who asked the Post to remain anonymous.

Moreover, another former TAO employee who also saw the leaked file said, "From what I saw, there was no doubt in my mind that it was legitimate."

So, after Kaspersky Lab's analysis and the former TAO employees' statements, it is clear that the leaked NSA hacking tools are legitimate.

Hack Or An Inside Job?

Moreover, it has also been speculated that the NSA hack could be an inside job, as concluded by Matt Suiche, founder of a UAE-based security startup, after he discussed the incident with a former NSA TAO employee.

"The repository containing the NSA TAO Toolkit is stored on a physically segregated network which does not touch the internet and has no reason to (remember it's a toolkit repository)," Suiche wrote in a blog post.

"There is no reason for those files to have ever been on a staging server in the first place unless someone did it on purpose. The file hierarchy and the unchanged file naming convention tends to say that the files were directly copied from its source."

Experts and Snowden suggest Russia is behind the NSA Hack

Most cyber security experts, as well as former NSA contractor and whistleblower Edward Snowden, believe Russia is behind the NSA hack.

Several officials from US intelligence agencies and security companies have pointed fingers towards Russia for the recent Democratic hacks, though Russia has denied any involvement.

"The Federal Bureau of Investigation and U.S. intelligence agencies have been studying the Democratic hacks, and several officials have signaled it was almost certainly carried out by Russian-affiliated hackers," the WSJ reports. "Russia has denied any involvement, but several cybersecurity companies have also released reports tying the breach to Russian hackers."

Now, both Snowden and Dave Aitel, a security expert who spent 6 years as an NSA security scientist, are speculating that the latest leak by the Shadow Brokers is in response to growing tensions between the United States and Russia over the Democratic groups' hacks.

In a stream of tweets yesterday, Snowden said the hack is likely of Russian origin, tweeting "No one knows, but I suspect this is more diplomacy than intelligence, related to the escalation around the DNC hack."

Here's the combined statement by Snowden:

"This leak is likely a warning that someone can prove US responsibility for any attacks that originated from this malware server. That could have significant foreign policy consequences. Particularly if any of those operations targeted US allies. Particularly if any of those operations targeted elections. Accordingly, this may be an effort to influence the calculus of decision-makers wondering how sharply to respond to the DNC hacks. TL;DR: This leak looks like a somebody sending a message that an escalation in the attribution game could get messy fast."

Following Snowden's tweets, Aitel also published a blog post saying Russia is the most likely suspect behind the Democratic hacks as well as the latest leak of the NSA spying tools.

Apart from the speculation, WikiLeaks, which had previously made clear its intent to harm Hillary Clinton's chances of becoming US President, also said it already owns the "auction" files from the Shadow Brokers and will publish them in "due course," though the tweet has since been deleted.

Still, many questions remain unanswered — who are the Shadow Brokers, how did the group break into Equation Group and steal its private hacking tools and malware, and is the group really willing to auction the files for 1 million Bitcoins, or is that just a distraction?

An unknown hacker or a group of hackers just claimed to have hacked into "Equation Group" -- a cyber-attack group allegedly associated with the United States intelligence organization NSA -- and dumped a bunch of its hacking tools (malware, private exploits, and hacking tools) online.

I know, it is really hard to believe, but some cybersecurity experts who have been examining the leaked data, exploits and hacking tools believe it to be legitimate.

Hacker Demands $568 Million in Bitcoin to Leak All Tools and Data

Not just this, the hackers, calling themselves "The Shadow Brokers," are also asking for 1 Million Bitcoins (around $568 Million) in an auction to release the 'best' cyber weapons and more files.

Widely believed to be part of the NSA, Equation Group was described as "a threat actor that surpasses anything known in terms of complexity and sophistication of techniques, and that has been active for almost two decades," according to a report published by security firm Kaspersky in 2015.

Equation Group was also linked to the previous infamous Regin and Stuxnet attacks, allegedly the United States sponsored hacks, though the link was never absolutely proven.

Two days back, The Shadow Brokers released some files, which it claimed came from the Equation Group, on Github (deleted) and Tumblr.

Exploits for American & Chinese Firewalls Leaked:

The files mostly contained installation scripts, configurations for command-and-control (C&C) servers, and exploits allegedly designed to target routers and firewalls from American manufacturers including Cisco, Juniper, and Fortinet.

According to the leaked files, Chinese company 'Topsec' was also an Equation Group target.

The leak mentioned names of some of the hacking tools that correlate with names used in the documents leaked by whistleblower Edward Snowden, like "BANANAGLEE" and "EPICBANANA."

"We follow Equation Group traffic," says the Shadow Broker. "We find Equation Group source range. We hack Equation Group. We find many many Equation Group cyber weapons. You see pictures. We give you some Equation Group files free, you see. This is good proof no? You enjoy!!! You break many things. You find many intrusions. You write many words. But not all, we are auction the best files."

It is not yet confirmed whether the leaked documents are legitimate, but some security experts agree that they likely are.

Others are saying that the leak could be a very well-researched hoax, and that the Bitcoin auction could be nothing but a distraction intended to gain media attention.

"If this is a hoax, the perpetrators put a huge amount of effort in," security researcher The Grugq told Motherboard. "The proof files look pretty legit, and they are exactly the sorts of exploits you would expect a group that targets communications infrastructure to deploy and use."

However, if the NSA has indeed been hacked, this would be a highly critical cyber security incident.

The U.S. National Security Agency (NSA) may have been hiding highly sophisticated hacking payloads in the firmware of consumer hard drives for the last 15 to 20 years, in a campaign giving the agency the means to eavesdrop on thousands of targets' computers, according to an analysis by Kaspersky Lab and subsequent reports.

'EQUATION GROUP' BEHIND THE MALWARE

The team of malicious actors is dubbed the "Equation Group" by researchers from Moscow-based Kaspersky Lab, who describe them as "probably one of the most sophisticated cyber attack groups in the world" and "the most advanced threat actor we have seen."

The security researchers have documented 500 infections by Equation Group and believe that the actual number of victims likely reaches into the tens of thousands, because a self-destruct mechanism built into the malware hides older infections.

TOP MANUFACTURERS' HARD DRIVES ARE INFECTED

Russian security experts reportedly uncovered state-created spyware hidden in the hard drive firmware of more than a dozen of the largest manufacturer brands in the industry, including Samsung, Western Digital, Seagate, Maxtor, Toshiba and Hitachi.

These infected hard drives would have given the attackers persistence on victims' computers and allowed them to set up secret data stores on the machines, accessible only to the malicious hackers.

UNABLE TO REMOVE THE INFECTION

One of the most sophisticated features of this notorious piece of malware is the ability to infect not just the files stored on a hard drive, but also the firmware controlling the hard drive itself. The malware is hidden so deep within the hard drive that it is difficult to detect or remove.

If present, once the victim inserts infected storage (such as a CD or USB drive) into an internet-connected PC, the malicious code allows hackers to snoop on victims' data and map networks that would otherwise be inaccessible.

Because the malware isn't sitting in regular storage, it is almost impossible for a victim to get rid of it or even detect it. Such an exploit could survive a complete hard drive wipe or the re-installation of an operating system, and "exceeds anything we have ever seen before," the company's researchers wrote in a report.

MORE ADVANCED TECHNIQUES USED BY EQUATION GROUP

The firm recovered two modules belonging to Equation Group, dubbed EquationDrug and GrayFish. Both were used to reprogram hard drives to give the malicious hackers the ability to persistently control a target machine.

GrayFish can install itself into a computer's boot record — the software code that loads before the operating system itself — and stores all of its data inside a portion of the operating system known as the registry, where configuration data is normally stored.

EquationDrug, on the other hand, was designed to be used on older versions of Windows, and "some of the plugins were designed originally for use on Windows 95/98/ME" — versions so old that they offer a good indication of the Equation Group's age.

TARGETED COUNTRIES AND ORGANISATIONS

The campaign infected tens of thousands of personal computers with one or more of the spying programs in more than 30 countries, with most infections seen in Iran, followed by Russia, Pakistan, Afghanistan, China, Mali, Syria, Yemen and Algeria.

The targets included government and military institutions, telecommunication providers, banks and financial institutions, energy companies, nuclear researchers, mass media organisations, and Islamic activists among others.

'ANCESTOR' OF STUXNET & FLAME

Security researchers are calling the malware the "ancestor" of Stuxnet and Flame, the most sophisticated and powerful threats that were specially designed to spy on and sabotage ICS and SCADA systems.

LINKS TO NSA

Kaspersky declined to publicly name the country or agency behind the spying campaign, but said it was closely linked to Stuxnet — the NSA-led cyberweapon that was used to sabotage Iran's uranium enrichment facility.

Also, the similarities, when combined with previously published NSA hard drive exploits, have led many to speculate that the campaign may be part of an NSA program. The NSA is the agency responsible for the global surveillance program uncovered by whistleblower Edward Snowden.

Another reason is that most of the infections discovered by the Moscow-based security firm have occurred in countries that are frequently US spying targets, such as China, Iran, Pakistan and Russia.

Meanwhile, Reuters reported that sources who formerly worked with the NSA confirmed the agency was responsible for the attacks and had developed espionage techniques at this level.

NSA INVOLVEMENT COULD BE RISKY

If the NSA is found to be involved, the malicious program would have given the agency unprecedented access to the world's computers, even when those computers are disconnected from the Internet. The implants activate as soon as a device is plugged in, with no further action required, because they are stored in the hard drive's firmware.

Back in July, independent security researchers discovered a similar exploit targeting USB firmware — dubbed BadUSB — but there was no indication of such bugs being developed and deployed by Equation Group at this scale.

The issue once again raises questions about the device manufacturers' complicity in the program. It would take extensive and sustained reverse engineering to successfully rewrite a hard drive's firmware without their help.
